As if there weren't enough headlines about malicious bogus Pokémon Go apps for Android, and thieves using the game to ambush and rob unsuspecting players, privacy concerns have now been raised about the iOS edition of the app.
Adam Reeve found that players of the iOS version of Pokémon Go who signed into the app via Google were unwittingly giving the Nintendo game - developed by Niantic - full access to their Google account:
Let me be clear - Pokemon Go and Niantic can now:
Read all your email
Send email as you
Access all your Google drive documents (including deleting them)
Look at your search history and your Maps navigation history
Access any private photos you may store in Google Photos
And a whole lot more
And they have no need to do this - when a developer sets up the “Sign in with Google” functionality they specify what level of access they want - best practices (and simple logic) dictate you ask for the minimum you actually need, which is usually just simple contact information.
Other players of Pokémon Go - including popular security tweeter @SwiftOnSecurity - confirmed that the app had grabbed full access to their Google accounts.
I like to imagine this is a cockup rather than a conspiracy, and that the game's developers do not have any malicious intent, but this really doesn't sound good at all.
Hopefully a new fixed version of the Pokémon Go app for iOS will be released sooner rather than later.
In the meantime, players may wish to revoke the game's access to their Google account.